Why does Let's Encrypt query my DNS for a CAA record?

I try to generate SSL keys for my domains, and finally I get these errors:

Domain: mail.xxxxxx.dz
Type: connection
Detail: DNS problem: query timed out looking up CAA for mail.xxxxxx.dz

Domain: mail.yyyyyy.dz
Type: connection
Detail: DNS problem: query timed out looking up CAA for mail.yyyyyy.dz

Domain: mail1.zzzzzz.dz
Type: connection
Detail: DNS problem: query timed out looking up CAA for mail.zzzzzz.dz

I have 3 DNS servers running PowerDNS 3.x, and they have no CAA capability???

P.S.: sorry for my bad English :slight_smile:

Let’s Encrypt uses CAA to determine whether they’re allowed to issue certificates for a domain name.

You don’t need a CAA record for your domain (IIRC even SERVFAIL or REFUSED would be fine), but a timeout is treated as an error. This seems to have recently been fixed in PowerDNS, but I’m not sure if it has been included in a release yet.

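Added example, not code from the thread or from Let's Encrypt: it walks a CAA policy the way RFC 8659 (the rules Let's Encrypt follows) describes, against a constructed in-memory zone so it runs offline. The domain names and the `None` timeout marker are assumptions; the point it shows is that NODATA/NXDOMAIN permits issuance, while a timed-out lookup is raised as an error, which is exactly the failure in the original post.

```python
from collections import namedtuple

class DnsTimeout(Exception):
    """A query that never got an answer; a CA must treat this as a failure, not as 'no CAA'."""

# A CAA record: flags, property tag, property value (RFC 8659 s4.1).
CAA = namedtuple("CAA", "flags tag value")

# Constructed sample zone (names are assumptions): domain -> its CAA RRset.
# [] means the name answers but has no CAA data (NODATA); a name missing from
# the dict is NXDOMAIN; None models a server that drops CAA queries (timeout).
ZONE = {
    "example.net": [CAA(0, "issue", "letsencrypt.org")],
    "other.example.net": [CAA(0, "issue", ";")],  # ";" = nobody may issue
    "mail.example.net": [],
    "nocaa.example": [],
    "timeout.example": None,
}

def lookup_caa(name):
    """Return the CAA RRset for one name, or raise DnsTimeout if it never answers."""
    rrset = ZONE.get(name, [])
    if rrset is None:
        raise DnsTimeout(f"query timed out looking up CAA for {name}")
    return rrset

def relevant_caa(name):
    """RFC 8659 s3: walk from the name towards the root; the first non-empty RRset wins."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = lookup_caa(".".join(labels[i:]))
        if rrset:
            return rrset
    return []  # no CAA anywhere in the chain: any CA may issue

def ca_may_issue(name, ca_domain, wildcard=False):
    """True if ca_domain may issue for name; a DnsTimeout propagates, as in the OP's log."""
    rrset = relevant_caa(name)
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False  # unknown critical property: the CA must refuse
    tag = "issuewild" if wildcard else "issue"
    rules = [r for r in rrset if r.tag == tag]
    if wildcard and not rules:  # no issuewild: issue records govern wildcards too
        rules = [r for r in rrset if r.tag == "issue"]
    if not rules:
        return True
    return any(r.value.split(";")[0].strip() == ca_domain for r in rules)
```

To check a real zone the same way, query each name in the chain for type CAA with a resolver of your choice and confirm the authoritative servers answer (NOERROR, NODATA or NXDOMAIN) rather than dropping the query.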

Hello @rezgui,

I’m also using PowerDNS 3.x and have no CAA record defined and I’m issuing certificates with no problem at all.

A couple of hours ago Let's Encrypt performed an update on the boulder side, and after that they detected several errors due to a hardware failure. Maybe you tried to issue your cert during that time frame; it's worth trying again now that the problem seems to have been resolved.

Cheers,
sahsanu


Is it a good idea to add one nevertheless?
